Galxe Protocol Compromised: Over $160k Drained
Galxe's website suffered a security breach, leading to a phishing attack and funds being stolen. Similar to a previous incident, the attacker may have ties to Russia.
On October 6th, Galxe's website went offline for approximately an hour. The company promptly reported on X (formerly known as Twitter) that its website was down, and within 40 minutes, confirmed a security breach affecting its Domain Name System (DNS) record. They cautioned users against visiting the domain until the issue was resolved. Even after the website's restoration, some users reported that Google had blocked it.
Dear Galxe Community,
We recognize the impact that recent events have had upon our users and are quickly working to take remedial action. The Galxe security team continues to take an aggressive approach to protect your data, funds and digital assets.
Steps You Should Take:
❗️Do… — Galxe (@Galxe) October 6, 2023
A Web3 cybersecurity service pinpointed the nature of the attack, explaining that Galxe's DNS records were maliciously modified to redirect users to a phishing website designed to drain users' wallets. Crypto detective ZachXBT highlighted that funds were being siphoned from Galxe, with the associated wallet continuing to accumulate funds even after the website's restoration. By 17:15 UTC, the stolen amount was approximately $160,000, as per DeBank.
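The attack path described above begins with a changed DNS record, so the corresponding detective control is to compare what the domain currently resolves to against an approved baseline and alert on any drift, especially new A records or a swapped nameserver. The script below is an added example for this article, not Galxe's or any vendor's tooling; the IP addresses (RFC 5737 documentation ranges), nameserver names and TXT record are constructed, and the live-lookup helper only covers the A records the standard library can resolve.

```python
"""Detect unexpected changes to a web front end's DNS records (added example)."""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsSnapshot:
    """Point-in-time view of the records that decide where users land."""
    a: frozenset            # IPv4 addresses the domain resolves to
    ns: frozenset           # authoritative nameservers (registrar-side)
    txt: frozenset = frozenset()  # verification / policy strings


def diff_snapshot(baseline: DnsSnapshot, observed: DnsSnapshot) -> dict:
    """Compare an observed snapshot with the approved baseline.

    Every value is a sorted list; all lists empty means no change. A front end
    that hosts wallet-connect flows must never resolve to an address or be
    served by a nameserver the team did not approve.
    """
    return {
        "a_added": sorted(observed.a - baseline.a),
        "a_removed": sorted(baseline.a - observed.a),
        "ns_added": sorted(observed.ns - baseline.ns),
        "ns_removed": sorted(baseline.ns - observed.ns),
        "txt_removed": sorted(baseline.txt - observed.txt),
    }


def is_hijack_suspected(findings: dict) -> bool:
    """New A records or new nameservers are the hallmarks of a registrar or
    DNS takeover; removals alone may be routine cleanup, so they only inform."""
    return bool(findings["a_added"] or findings["ns_added"])


def snapshot_a_records(domain: str) -> frozenset:
    """Live helper: resolve the current IPv4 A records with the standard library.
    NS and TXT records need a resolver library, so they are not fetched here."""
    infos = socket.getaddrinfo(domain, None, socket.AF_INET)
    return frozenset(info[4][0] for info in infos)


# Constructed baseline: RFC 5737 documentation addresses, not real Galxe infrastructure.
BASELINE = DnsSnapshot(
    a=frozenset({"203.0.113.10", "203.0.113.11"}),
    ns=frozenset({"ns1.example-dns.invalid", "ns2.example-dns.invalid"}),
    txt=frozenset({"v=spf1 -all"}),
)
# Constructed "hijacked" observation: the apex now points at a single new host
# and one authoritative nameserver has been replaced.
OBSERVED_HIJACKED = DnsSnapshot(
    a=frozenset({"198.51.100.77"}),
    ns=frozenset({"ns1.example-dns.invalid", "ns1.attacker-dns.invalid"}),
    txt=frozenset(),
)
# Constructed unchanged observation.
OBSERVED_NORMAL = DnsSnapshot(a=BASELINE.a, ns=BASELINE.ns, txt=BASELINE.txt)


def run_check(observed: DnsSnapshot) -> tuple:
    """Return (alert, findings) for one observation against BASELINE."""
    findings = diff_snapshot(BASELINE, observed)
    return is_hijack_suspected(findings), findings


if __name__ == "__main__":
    for label, snap in (("normal", OBSERVED_NORMAL), ("hijacked", OBSERVED_HIJACKED)):
        alert, findings = run_check(snap)
        print(f"{label}: {'ALERT' if alert else 'ok'} {findings}")
```

Run this from a scheduler against a baseline that is stored outside the DNS provider and registrar accounts themselves, so that an attacker who takes over those accounts cannot also silently update the expected values.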
$148k has already been stolen by the Galxe hacker.
The hacker is using the same smart contract on 10 networks:
0x00008c6dc619b0ea53dd8d02b58bb726afc40000
Please revoke this smart contract ASAP on:
❍ Ethereum
❍ Optimism
❍ Arbitrum
❍ BNB Chain
❍ Base
❍ Polygon
❍… pic.twitter.com/iUyAenfJPu — FIP Crypto (@FIP_Crypto) October 6, 2023
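The revocation advice in the tweet above amounts to two ERC-20 calls per chain: read allowance(owner, spender) for the flagged contract and, if it is non-zero, send approve(spender, 0). The Python below, an added example and not code from Galxe, FIP Crypto or any wallet vendor, builds the raw calldata and JSON-RPC payloads for those calls without touching the network. The spender is the contract address quoted in the tweet; the owner and token addresses are constructed placeholders; the function selectors are the standard ERC-20 ones, hard-coded because Python's standard library has no keccak256.

```python
"""Check and revoke an ERC-20 allowance granted to a suspected drainer (added example)."""
import json

# ERC-20 function selectors: first 4 bytes of keccak256 of the canonical signature.
SEL_ALLOWANCE = bytes.fromhex("dd62ed3e")  # allowance(address,address)
SEL_APPROVE = bytes.fromhex("095ea7b3")    # approve(address,uint256)

# Spender flagged in the article: the same contract deployed on 10 networks.
DRAINER = "0x00008c6dc619b0ea53dd8d02b58bb726afc40000"
# Constructed placeholders for the user's wallet and a token contract.
OWNER = "0x1111111111111111111111111111111111111111"
TOKEN = "0x2222222222222222222222222222222222222222"

UNLIMITED = 2**256 - 1  # the "infinite approval" drainers ask victims to sign


def _addr(addr: str) -> bytes:
    """Validate a 20-byte hex address and ABI-encode it as a left-padded 32-byte word."""
    if not (addr.startswith("0x") and len(addr) == 42):
        raise ValueError(f"bad address: {addr!r}")
    return bytes.fromhex(addr[2:]).rjust(32, b"\x00")


def _uint256(n: int) -> bytes:
    if not 0 <= n <= UNLIMITED:
        raise ValueError("uint256 out of range")
    return n.to_bytes(32, "big")


def allowance_calldata(owner: str, spender: str) -> str:
    """Calldata for allowance(owner, spender): read-only, safe to issue via eth_call."""
    return "0x" + (SEL_ALLOWANCE + _addr(owner) + _addr(spender)).hex()


def approve_calldata(spender: str, amount: int) -> str:
    """Calldata for approve(spender, amount); amount 0 is the standard revocation."""
    return "0x" + (SEL_APPROVE + _addr(spender) + _uint256(amount)).hex()


def eth_call_payload(token: str, owner: str, spender: str) -> str:
    """JSON-RPC request body that reads the current allowance on one chain."""
    return json.dumps({
        "jsonrpc": "2.0", "id": 1, "method": "eth_call",
        "params": [{"to": token, "data": allowance_calldata(owner, spender)}, "latest"],
    })


def decode_uint256(ret_hex: str) -> int:
    """Decode the 32-byte word an eth_call to allowance() returns."""
    data = bytes.fromhex(ret_hex[2:] if ret_hex.startswith("0x") else ret_hex)
    if len(data) != 32:
        raise ValueError("expected a single 32-byte ABI word")
    return int.from_bytes(data, "big")


def revocation_needed(allowance_ret_hex: str) -> bool:
    """Any non-zero allowance to the flagged spender must be revoked."""
    return decode_uint256(allowance_ret_hex) > 0


def revoke_tx(token: str, owner: str, spender: str) -> dict:
    """Transaction object for eth_sendTransaction that sets the allowance to zero."""
    return {"from": owner, "to": token, "value": "0x0",
            "data": approve_calldata(spender, 0)}


if __name__ == "__main__":
    print("eth_call:", eth_call_payload(TOKEN, OWNER, DRAINER))
    # Constructed node response: an unlimited approval was granted to the drainer.
    sample_return = "0x" + "ff" * 32
    if revocation_needed(sample_return):
        print("revoke with:", json.dumps(revoke_tx(TOKEN, OWNER, DRAINER)))
```

Because the flagged contract has the same address on every chain in the list, the calldata is identical everywhere; only the RPC endpoint the payload is sent to changes. Repeat the allowance read for each token the wallet holds on each chain, since an approval is per token, per spender, per chain.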
ZachXBT drew parallels between the Galxe exploit and a previous attack on the Balancer protocol on September 19th. This was the second time Balancer had been targeted within a month. The Balancer team had described the incident as a social engineering attack on its DNS server, executed by a crypto wallet drainer known as Angel Drainer. SlowMist, a blockchain security firm, hinted at the attacker's possible association with Russia.
Stolen funds are being directed here
0x4103baBcFA68E97b4a29fa0b3C94D66afCF6163d
It seems likely to be the same scammer who did the Balancer frontend attack recently. pic.twitter.com/SovOGGn8GE — ZachXBT (@zachxbt) October 6, 2023
A spokesperson for Galxe reached out with a statement:
“The Galxe website is offline. We will bring it back online once the correct DNS records are propagated globally. Your funds and information are safe as long as no approval of any transaction on Galxe has been made in the past 8 hrs. We took back the domain ownership at 9am PST, October 6th, and enhanced the security protection of the account with domain registrar service Dynadot. In our efforts to address this situation, we have engaged with the appropriate law enforcement authorities.”
The third quarter of 2023 witnessed a dramatic surge in losses to Web3 projects compared to Q3 2022. A report from the security platform Immunefi highlighted a year-on-year increase in attacks from 30% to 76%. The total losses for Q3 2023 approached a staggering $686 million. The most significant loss during this period was attributed to the Mixin hack on September 25th.